P1 - Fix in 24 hours: 3
P2 - Fix in 72 hours: 4
P3 - Next sprint: 1
Total Findings: 8
Critical (severity): 4
High (severity): 3
Medium (severity): 1
Auto-Fixed: 0
Downstream At Risk: 5
Compound-Risk: 3

Attack Path Analysis

Reachability + Blast Radius
ATTACK PATHS COMPUTED: 8
DOWNSTREAM RESOURCES AT RISK: 5
COMPOUND-RISK RESOURCES (RESOURCES WITH MULTIPLE FINDINGS): 3

Findings (8)

FID: 65a687f4432a
P2 CRITICAL nsg_open_to_internet open
SSH exposed to 0.0.0.0/0
RESOURCE: nsg-titandemo-public/BAD-allow-ssh-from-internet
HIPAA CITATION: HIPAA 164.312(e)(1) Transmission Security
RECOMMENDATION: Restrict source to corporate IP ranges or remove rule entirely.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: Internet-facing · Business-critical
MITRE ATT&CK: T1133 - External Remote Services
ATTACK PATH: Internet → NSG nsg-titandemo-public → Subnet/NIC → Workload VM
PATH LENGTH: 3 hops
COMPOUND RISK: 2 other finding(s) on the same resource — multiplier 2x
DETECTED AT: 2026-04-26T13:27:02.1133696-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Network/Security · ESTIMATED EFFORT: 24-72 hours
  1. Identify which subnet/NIC the NSG attaches to (Get-AzNetworkSecurityGroup)
  2. Replace 0.0.0.0/0 source with corporate CIDR ranges or VPN gateway
  3. Update Azure Firewall + Bastion if RDP/SSH access still needed
  4. Re-scan to verify rule removed
  5. Document change in CAB ticket
FID: 071b32f412a2
P2 CRITICAL nsg_open_to_internet open
RDP exposed to 0.0.0.0/0
RESOURCE: nsg-titandemo-public/BAD-allow-rdp-from-internet
HIPAA CITATION: HIPAA 164.312(e)(1) Transmission Security
RECOMMENDATION: Restrict source to corporate IP ranges or remove rule entirely.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: Internet-facing · Business-critical
MITRE ATT&CK: T1133 - External Remote Services
ATTACK PATH: Internet → NSG nsg-titandemo-public → Subnet/NIC → Workload VM
PATH LENGTH: 3 hops
COMPOUND RISK: 2 other finding(s) on the same resource — multiplier 2x
DETECTED AT: 2026-04-26T13:27:02.1292853-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Network/Security · ESTIMATED EFFORT: 24-72 hours
  1. Identify which subnet/NIC the NSG attaches to (Get-AzNetworkSecurityGroup)
  2. Replace 0.0.0.0/0 source with corporate CIDR ranges or VPN gateway
  3. Update Azure Firewall + Bastion if RDP/SSH access still needed
  4. Re-scan to verify rule removed
  5. Document change in CAB ticket
FID: b6c0ed1d8fae
P2 CRITICAL nsg_open_to_internet open
SQL Server exposed to 0.0.0.0/0
RESOURCE: nsg-titandemo-public/BAD-allow-sql-from-internet
HIPAA CITATION: HIPAA 164.312(e)(1) Transmission Security
RECOMMENDATION: Restrict source to corporate IP ranges or remove rule entirely.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: Internet-facing · Business-critical
MITRE ATT&CK: T1133 - External Remote Services
ATTACK PATH: Internet → NSG nsg-titandemo-public → Subnet/NIC → Workload VM
PATH LENGTH: 3 hops
COMPOUND RISK: 2 other finding(s) on the same resource — multiplier 2x
DETECTED AT: 2026-04-26T13:27:02.1533773-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Network/Security · ESTIMATED EFFORT: 24-72 hours
  1. Identify which subnet/NIC the NSG attaches to (Get-AzNetworkSecurityGroup)
  2. Replace 0.0.0.0/0 source with corporate CIDR ranges or VPN gateway
  3. Update Azure Firewall + Bastion if RDP/SSH access still needed
  4. Re-scan to verify rule removed
  5. Document change in CAB ticket
FID: 9f2657a3ab56
P1 CRITICAL storage_public_blob open
Anonymous blob access enabled (PHI exposure risk)
RESOURCE: satitandemo2604261324
HIPAA CITATION: HIPAA 164.502 Uses and Disclosures
RECOMMENDATION: Set AllowBlobPublicAccess=false.
PRIORITY: P1 · Fix in 24 hours — risk score 75/100
RISK FACTORS: Internet-facing · PHI exposure · Business-critical
MITRE ATT&CK: T1530 - Data from Cloud Storage
ATTACK PATH: Internet → Public Blob Endpoint → PHI/PII Container
PATH LENGTH: 1 hops
BLAST RADIUS: 1 storage_account(s): satitandemo2604261324
COMPOUND RISK: 2 other finding(s) on the same resource — multiplier 2x
DETECTED AT: 2026-04-26T13:27:02.9928748-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Storage Owner + Privacy · ESTIMATED EFFORT: 1-2 days
  1. Set-AzStorageAccount -AllowBlobPublicAccess $false on the storage account
  2. Audit storage diagnostic logs (last 90 days) for any anonymous reads
  3. If access detected on PHI containers: trigger HIPAA breach assessment within 60 days
  4. Enable Azure Defender for Storage (continuous threat detection)
  5. Configure Storage Firewall: PublicNetworkAccess=Disabled, allowlist VNet subnets
FID: ddf556249b37
P2 HIGH storage_http_allowed open
HTTP traffic allowed - PHI in transit not encrypted
RESOURCE: satitandemo2604261324
HIPAA CITATION: HIPAA 164.312(e)(2)(ii) Encryption
RECOMMENDATION: Set EnableHttpsTrafficOnly=true.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: PHI exposure · Business-critical
MITRE ATT&CK: T1040 - Network Sniffing
ATTACK PATH: Internet → Public Blob Endpoint → PHI/PII Container
PATH LENGTH: 1 hops
BLAST RADIUS: 1 storage_account(s): satitandemo2604261324
COMPOUND RISK: 2 other finding(s) on the same resource — multiplier 2x
DETECTED AT: 2026-04-26T13:27:03.0096734-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Storage Owner · ESTIMATED EFFORT: Same day
  1. Set-AzStorageAccount -EnableHttpsTrafficOnly $true
  2. Verify clients support TLS 1.2+ (legacy SDKs may break)
  3. Re-scan to confirm
  4. Update IaC template (Bicep/Terraform) so it doesn't drift back
  5. Document change
FID: 4a713e7c6cf5
P1 HIGH storage_public_network open
Storage exposed to all networks (no firewall)
RESOURCE: satitandemo2604261324
HIPAA CITATION: HIPAA 164.312(c)(1) Integrity Controls
RECOMMENDATION: Set PublicNetworkAccess=Disabled or configure NetworkRuleSet.
PRIORITY: P1 · Fix in 24 hours — risk score 75/100
RISK FACTORS: Internet-facing · PHI exposure · Business-critical
MITRE ATT&CK: T1530 - Data from Cloud Storage
ATTACK PATH: Internet → Public Blob Endpoint → PHI/PII Container
PATH LENGTH: 1 hops
BLAST RADIUS: 1 storage_account(s): satitandemo2604261324
COMPOUND RISK: 2 other finding(s) on the same resource — multiplier 2x
DETECTED AT: 2026-04-26T13:27:03.0212220-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Storage Owner + Network · ESTIMATED EFFORT: 1-3 days
  1. Identify all consumers of this storage account (find downstream apps/services)
  2. Configure NetworkRuleSet with VNet allowlist + IP allowlist for build agents
  3. Set PublicNetworkAccess=Disabled
  4. Use Private Endpoints for service-to-service traffic
  5. Re-scan + verify clients still connect via private path
FID: f716be2ce139
P1 HIGH keyvault_public_network open
Key Vault exposed to public network
RESOURCE: kv-titandemo-260426-1324
HIPAA CITATION: HIPAA 164.312(a)(1) Access Control
RECOMMENDATION: Set PublicNetworkAccess=Disabled and use private endpoint.
PRIORITY: P1 · Fix in 24 hours — risk score 75/100
RISK FACTORS: Internet-facing · PHI exposure · Business-critical
MITRE ATT&CK: T1528 - Steal Application Access Token
ATTACK PATH: Internet → Key Vault Public Endpoint → Secrets/Keys/Certs
PATH LENGTH: 1 hops
BLAST RADIUS: 1 key_vault(s): kv-titandemo-260426-1324
COMPOUND RISK: 1 other finding(s) on the same resource — multiplier 1.5x
DETECTED AT: 2026-04-26T13:27:04.8879770-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Security + App Owner · ESTIMATED EFFORT: 1-2 days
  1. Inventory which apps/Functions reference secrets in this Key Vault
  2. Set PublicNetworkAccess=Disabled and configure Private Endpoint
  3. Update consumer apps to use Private Endpoint DNS
  4. Test secret retrieval from each consumer
  5. Re-scan
FID: 43e2189b2a3f
P3 MEDIUM keyvault_no_purge_protection open
Purge protection disabled - keys can be permanently deleted
RESOURCE: kv-titandemo-260426-1324
HIPAA CITATION: HIPAA 164.308(a)(7) Contingency Plan
RECOMMENDATION: Enable purge protection.
PRIORITY: P3 · Fix in next sprint (2 weeks) — risk score 25/100
RISK FACTORS: Business-critical
MITRE ATT&CK: T1485 - Data Destruction
ATTACK PATH: Internet → Key Vault Public Endpoint → Secrets/Keys/Certs
PATH LENGTH: 1 hops
BLAST RADIUS: 1 key_vault(s): kv-titandemo-260426-1324
COMPOUND RISK: 1 other finding(s) on the same resource — multiplier 1.5x
DETECTED AT: 2026-04-26T13:27:04.8954452-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Security · ESTIMATED EFFORT: 30 minutes
  1. Enable purge protection: Update-AzKeyVault -EnablePurgeProtection
  2. Confirm soft-delete is also on (cannot disable once purge protection is set)
  3. Document the irreversibility for ops team
  4. Re-scan
TITAN AI · Live Azure scan against rg-titandemo-260426-1324 · AZL-20260426-132706